On 19/02/2012 5:42 a.m., ALAA MURAD wrote:
Dear Amos, thanks again for your continuous support. I hope at the end of this we can have a complete and simple configuration for everyone who wants a simple secure reverse proxy. I always like to do things the right way, but the SSL is the only thing standing in my way. I really don't like the 'sslflags=DONT_VERIFY_PEER' either, but removing it causes many problems. As you can see from
https_port 443 cert=C:/Interceptor/cert/baj.cert key=C:/Interceptor/cert/baj.key
those are the OpenSSL PEM conversions of my actual domain certificate. I did also generate a PEM for the CA, and tried all possible combinations of capath, cafile, clientca & sslproxy_capath to insert this CA certificate, but without success (getting different errors).
No no. The root CAs are installed into OpenSSL directly. See the Google links below.
So as you said, "Without it Squid attempts to validate the peer SSL certificate against the root CA Squid (via the openssl library) trusts." I'm not sure what the connection between the two is. I do have OpenSSL installed, but only for conversion of the certificates (from cert to pem) (it is not even installed on my production Squid!).
OpenSSL libraries (libssl?) are what do all the work. The squid.conf settings are just telling Squid what to send to OpenSSL for each type of SSL connection: client connections (http_port), server connections (sslproxy_*) and peer connections (cache_peer).
My question: how do I add the CA cert to OpenSSL or Squid?
There seem to be a few tutorials on it: http://www.google.com/search?q=add+a+custom+CA+to+openssl

Amos
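As an added illustration of the two directions the thread discusses (this is not configuration from the thread or from the Squid project), here is a reverse-proxy squid.conf fragment with the peer-verification-disabled setting next to the corrected form that hands the origin's CA to OpenSSL through Squid. The origin hostname, the defaultsite value and the CA file path are placeholders; the https_port cert/key paths are the ones quoted in the thread.

```squid
# Added example, not from the thread. Hostnames and the CA path are placeholders.

# Front side: the certificate browsers see (cert/key as quoted in the thread).
https_port 443 accel defaultsite=www.example.test cert=C:/Interceptor/cert/baj.cert key=C:/Interceptor/cert/baj.key

# WEAK (the setting the poster wants to drop): DONT_VERIFY_PEER switches off
# validation of the origin's certificate, so whatever answers on port 443 at the
# origin address is accepted and the proxy-to-origin hop is open to impersonation.
#cache_peer origin.example.test parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=origin

# CORRECTED: leave verification on and tell OpenSSL, via Squid, which CA signed the
# origin certificate. sslcafile is a PEM file holding that CA (and any intermediates);
# sslcapath may be used instead to point at a directory of hashed CA files.
cache_peer origin.example.test parent 443 0 no-query originserver ssl sslcafile=C:/Interceptor/cert/origin-ca.pem name=origin

cache_peer_access origin allow all
```

Before reloading Squid, running "openssl verify -CAfile C:/Interceptor/cert/origin-ca.pem origin.pem" against the origin's certificate shows whether the CA file actually signs it; if that command fails, Squid's peer validation will fail for the same reason.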